In order to infect other systems in the peer-to-peer network community, the following action is performed: It retrieves shared folders by querying the following registry keys:
• Software\BearShare\General
• Software\iMesh\General
• Software\Shareaza\Shareaza\Downloads
• Software\Kazaa\LocalContent
• Software\DC++
• Software\eMule
• Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1

It searches for directories that contain the following substring:
• \Local Settings\Application Data\Ares\My Shared Folder

Messenger

It spreads via Messenger. The characteristics are described below:

– MSN Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

Injection

– It injects itself as a remote thread into a process.

Process name:
• explorer.exe

Miscellaneous

Internet connection:

It queries with the following names:
• www.godown.ch
• www.radines.ch
• www.maxisex.ch

File details

Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.